Validating control of domain zone

ABSTRACT

A requestor requests a domain zone control validation from a validating entity. The validating entity generates a pass string. The requestor enters the pass string into a domain zone. The validating entity determines if the pass string was entered in the domain zone. If the pass string is present in the domain zone, the domain zone control was successfully validated.

FIELD OF THE INVENTION

The present invention relates to a method and system for validating control of a domain zone.

BACKGROUND OF THE INVENTION

The Internet comprises a vast number of computers and computer networks that are interconnected through communication links. The interconnected computers exchange information using various services, such as electronic mail, Gopher, and the World Wide Web (WWW). The WWW service allows a server computer system (i.e., Web server or Web site) to send graphical Web pages of information to a remote client computer system. The remote client computer system can then display the Web pages. Each resource (e.g., computer or Web page) of the WWW is uniquely identifiable by a Uniform Resource Locator (URL). To view a specific Web page, a client computer system specifies the URL for the Web page in a request (e.g., a HyperText Transfer Protocol (HTTP) request). These follow the familiar format http://www.example.com uniquely identifying the particular resource. The request is forwarded to the Web server that supports that Web page, which returns the Web page to the client computer system. When the client computer system receives that Web page, it typically displays the Web page using a browser. A browser is a special-purpose application program that effects the requesting of Web pages and the displaying of Web pages.

The domain name system (DNS) is the world's largest distributed computing system that enables access to any resource in the Internet by translating user-friendly domain names to IP Addresses. The process of translating domain names to IP Addresses is called Name Resolution. A DNS name resolution is the first step in the majority of Internet transactions. The DNS is in fact a client-server system that provides this name resolution service through a family of servers called Domain Name Servers. The hierarchical domain space is divided into administrative units called zones. A zone usually consists of a domain (say example.com) and possibly one or more sub domains (projects.example.com, services.example.com). The authoritative data needed for performing the name resolution service is contained in a file called the zone file and the DNS servers hosting this file are called the authoritative name servers for that zone. The DNS clients that make use of the services provided by authoritative name servers may be of two types. One type is called a stub resolver that formulates and sends a query every time it receives a request from an application that requires Internet service (e.g., a browser). The other type is called a caching (also called recursive/resolving) name server that caches the name resolution responses it has obtained from authoritative name servers and is thus able to serve multiple stub resolvers.

The zone file hosted on an authoritative name server consists of various types of records called Resource Records (RRs). Associated with each DNS resource record is a type (RRtype). The code for these RRtypes is assigned by an international organization called Internet Assigned Names Authority (IANA). An RR of a given RRtype in a zone file provides a specific type of information. Some of the common RRtype codes are: NS, MX, CNAME, and A. An NS RR in a zone file gives the fully qualified domain name (FQDN) of the host that is considered the name server for that zone. For example, an NS RR in the zone file of the zone example.com may give the information that the host ns1.projects.example.com is a name server for the domain projects.example.com. Similarly an MX RR gives the host name for a mail server for the zone. An A RR gives the IP address for a host in a domain within the zone. CNAME provides “canonical name” records and maps names in the zone file. A zone file generally consists of multiple RRs of a given RRtype with some exceptions (e.g., there can be only one SOA RR in a zone file). It can also have multiple RRs for the same domain name and same (or different) RRtype (e.g., multiple name servers or mail servers for a domain services.example.com).

The DNS infrastructure consists of many different types of DNS servers, DNS clients and transactions among/between these entities. The most important transaction in DNS is the one that provides the core service of DNS (i.e., name resolution service) and is called the DNS Query/Response. A DNS Query/Response transaction is made up of a query originating from a DNS client (generically called a DNS resolver) and a response from a DNS name server. The response consists of one or more RRs. These RRs may be served from its own zone file (for an authoritative name server) or from a cache of RRs obtained from other name servers (for a caching/resolving/recursive name server). In this way, the DNS serves as a global, distributed database. Name servers (serving zone files) each contain a small portion of the global domain space, and clients issue queries using a domain name and a desired RRtype.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart showing a sample embodiment of a process of validating a domain zone control.

FIG. 2 is a flowchart showing a sample embodiment of a process of issuing a secure certificate using domain zone control validation.

FIG. 3A provides a sample email message that users may receive in connection with domain zone control validation.

FIG. 3B provides a sample email message that users may receive in connection with domain zone control validation.

FIG. 4A illustrates a sample domain zone file as text.

FIG. 4B illustrates a sample domain zone file with an addition of a Pass String.

DETAILED DESCRIPTION

Referring to FIG. 1, a Requestor may request domain zone control validation from a Validating Entity (Step 105). The Requestor is an individual or an entity and typically is an owner, a registrant, or a record holder for a domain name, or otherwise responsible for maintaining the domain name. A Validating Entity is a Certification Authority, a Domain Name Registrar, a Domain Name Registry, or any other individual or entity validating control of a domain zone.

Domain zone control means a control over a domain zone, or ownership, possession, authority, or caretaking of the domain zone, or ability to access and alter domain zone records or DNS records. Further, control over a domain zone often implies control over the domain name, i.e. a person who has control over the domain zone often has control over the domain name.

The request for a domain zone control validation may be received by the Validating Entity via email, through a website, or any other way. In response to the request, the Validating Entity generates and issues a Pass String and forwards (or otherwise communicates) it to the Requestor (Step 110). The Pass String (pass code, validation string, validation code, etc.) is a numeric, alpha, or alphanumeric string or a numeric value. Non-alpha characters may be present in the Pass String as well. The Pass String may be unique for each domain name to reduce the chance of impersonation in case of an attempt for an unauthorized domain zone control validation.

The Requestor enters the Pass String into a domain zone (Step 115). The domain zone may be a flat text file or generated dynamically from computer settings. The domain zone may be located on a server, such as a DNS server or a hosting server. Most domain zone files contain space-separated values; however, there are implementations that provide for character-separated values or formatting with a markup language, such as XML.

The Requestor may enter the Pass String into the fields specified by the Validating Entity. Preferably, the Pass String may be entered into the fields that have no or limited negative impact on the DNS resolution process or computational performance.

For example, the Pass String may be entered into TXT or CNAME fields of the domain zone. TXT may contain any string parameter. CNAME is an alias for a host record. CNAME allows more than one DNS name for a host record. CNAME records point back to an A record. So if the IP address of the A record is changed, all CNAME records pointed to that record automatically follow the new IP of the A record. Alternatively, users may have multiple A records, but this requires multiple places to change the IP address, which increases the chance of error. Using CNAMEs makes DNS data easier to manage. The most common CNAMEs are www and ftp. FIGS. 4A and 4B illustrate a sample domain zone file before (view A) and after (view B) addition of the Pass String in the text of the file. FIG. 4B shows a CNAME “pass-string123” (line 405) added to the sample domain zone file.

Additional information on DNS and its records may be found at Mockapetris, RFC 1035, Domain Names—Implementation and Specification, November 1987, and Rosenbaum, RFC 1464, Using the Domain Name System To Store Arbitrary String Attributes, May 1993, which are both hereby incorporated in their entirety by reference.

The Validating Entity may determine if the Pass String was entered in the domain zone (Step 120). Such determination may occur at a specified time, or the Validating Entity may query the domain zone at a specified time interval until the Pass String appears in the domain zone. The Validating Entity may use DNS lookup commands, such as “dig” from computers running Unix, FreeBSD, or Linux operating systems or the “nslookup” utility on Windows® or Unix computers.

In an alternative embodiment, illustrated in FIG. 2, the domain zone validation may be used to issue a secure certificate, such as an SSL certificate. A Requestor may request a secure certificate for a domain name from a Validating Entity, such as a Certification Authority (Step 205).

To verify that the Requestor has control over the domain name, the Validating Entity generates and issues a Pass String and forwards it to the Requestor (Step 110). The Pass String is a numeric, alpha, or alphanumeric string or a numeric value. The Pass String may be unique for each domain name to reduce the chance of impersonation in case of an attempt for an unauthorized domain zone control validation. The Requestor enters the Pass String into a domain zone (Step 115). The Validating Entity determines if the Pass String was entered in the domain zone (Step 120).

If the Validating Entity determines that the Pass String is present in the domain zone (Step 225) according to the instructions given to the Requestor, the Validating Entity may issue the secure certificate (Step 235). If the Pass String is not in the domain zone, then the Validating Entity may deny issuing the secure certificate to the Requestor (Step 230). Of course, additional methods of validation and authentication may be used along with the domain zone validation.
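The validation loop of FIG. 1 (Steps 110 through 120) and the certificate decision of FIG. 2 (Steps 225 through 235), as an added Python example that is not part of this patent or any product it describes: it issues a Pass String, parses a space-separated zone file of the kind shown in FIGS. 4A and 4B, looks for the Pass String as a whole TXT string or as a CNAME owner label, re-queries at an interval until it appears, and returns an issue or deny decision. The zone contents, the `_validation` owner name, the `generate_pass_string` token format and all function names are constructed for this example; the `lookup` callable stands in for the “dig” or “nslookup” query the description mentions.

```python
import re
import secrets
import time
from typing import Callable, List, NamedTuple, Optional


class ResourceRecord(NamedTuple):
    owner: str      # fully qualified, lower-cased, trailing dot
    rrtype: str     # "A", "CNAME", "TXT", ...
    rdata: str      # rest of the line, as written

_TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted strings in TXT rdata


def generate_pass_string(nbytes: int = 16) -> str:
    """Step 110 (hypothetical generator): a fresh, unpredictable token per request.
    Lower-case hex is a valid hostname label, so it fits a CNAME owner or a TXT string."""
    return secrets.token_hex(nbytes)


def _strip_comment(line: str) -> str:
    """Drop a ';' comment unless the ';' sits inside a quoted TXT string (e.g. DKIM)."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out)


def _qualify(name: str, origin: str) -> str:
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(zone_text: str, origin: str) -> List[ResourceRecord]:
    """Space-separated master-format parser ($ORIGIN, '@', relative and inherited
    owners, optional TTL and class columns). Deliberately simplified; not full RFC 1035."""
    origin = origin.lower().rstrip(".") + "."
    last_owner, records = origin, []
    for raw in zone_text.splitlines():
        line = _strip_comment(raw).rstrip()
        if not line.strip():
            continue
        if line.startswith("$"):                        # $ORIGIN / $TTL directives
            parts = line.split(None, 1)
            if parts[0].upper() == "$ORIGIN" and len(parts) > 1:
                origin = parts[1].strip().lower().rstrip(".") + "."
            continue
        fields = line.split()
        # A line that starts with whitespace inherits the previous owner name.
        owner = last_owner if line[0].isspace() else _qualify(fields.pop(0), origin)
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                               # optional TTL and class columns
        if not fields:
            continue                                    # malformed line: skip, never guess
        records.append(ResourceRecord(owner, fields[0].upper(), " ".join(fields[1:])))
    return records


def find_pass_string(records: List[ResourceRecord], pass_string: str) -> Optional[ResourceRecord]:
    """Step 120: the TXT or CNAME record carrying the pass string, or None. Only a whole
    TXT string or a whole leftmost owner label counts; a token that merely appears inside
    some unrelated record is not taken as evidence of control."""
    needle = pass_string.lower()
    for rr in records:
        if rr.rrtype == "TXT" and needle in (s.lower() for s in _TXT_STRING.findall(rr.rdata)):
            return rr
        if rr.rrtype == "CNAME" and rr.owner.split(".")[0] == needle:
            return rr
    return None


def poll_for_pass_string(lookup: Callable[[], str], origin: str, pass_string: str,
                         attempts: int = 3, interval: float = 0.0) -> bool:
    """Re-query at a fixed interval until the pass string appears or attempts run out.
    `lookup` stands in for dig/nslookup and returns the current zone as text."""
    for i in range(attempts):
        if find_pass_string(parse_zone(lookup(), origin), pass_string):
            return True
        if i + 1 < attempts:
            time.sleep(interval)
    return False


def certificate_decision(zone_text: str, origin: str, pass_string: str) -> str:
    """FIG. 2, Steps 225-235: issue only when the pass string is present in the zone."""
    return "issue" if find_pass_string(parse_zone(zone_text, origin), pass_string) else "deny"


# Constructed sample zone in the style of FIG. 4A (before the pass string is added).
ZONE_BEFORE = """$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 3600)
        IN NS  ns1.example.com.
        IN MX  10 mail.example.com.
        IN A   192.0.2.10
www     IN CNAME example.com.   ; alias that follows the A record above
mail    IN A   192.0.2.25
_dkim   IN TXT "v=DKIM1; k=rsa; p=PLACEHOLDER"   ; semicolons inside quotes are data
notes   IN TXT "token pass-string123 was mentioned here"   ; substring decoy, must not match
"""
# FIG. 4B form: the pass string added as a CNAME owner name (the figure's line 405).
ZONE_AFTER = ZONE_BEFORE + "pass-string123 IN CNAME example.com.\n"
# The TXT form the description also allows (the _validation owner name is an assumption).
ZONE_AFTER_TXT = ZONE_BEFORE + '_validation IN TXT "pass-string123"\n'
```

The matcher compares whole strings and whole labels rather than substrings, so a token that happens to be quoted in some unrelated TXT record (the `notes` decoy above) does not pass validation; owner names are folded to lower case because DNS names are case-insensitive. In a real deployment the `lookup` callable should query the zone's authoritative name servers directly rather than a recursive cache, so that a stale cached answer can neither hide a freshly added record nor keep a removed one alive.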

The methods described above can be performed manually, partially automated, or fully automated.

The above-described embodiments have been provided by way of example, and the present invention is not limited to these examples. Multiple variations and modifications to the disclosed embodiments will occur, to the extent not mutually exclusive, to those skilled in the art upon consideration of the foregoing description. Such variations and modifications, however, fall well within the scope of the present invention as set forth in the following claims.

The Abstract accompanying this specification is provided to enable the United States Patent and Trademark Office and the public generally to determine quickly from a cursory inspection the nature and gist of the technical disclosure and is in no way intended for defining, determining, or limiting the present invention or any of its embodiments.

The invention claimed is:
 1. A system, comprising: a server computer coupled to a network and running a domain name system server software; a domain name zone file for a domain name, the domain name zone file hosted on the server computer and comprising at least one resource record; and at least one processor on the server computer executing instructions causing the server computer to: receive a transmission encoding a request for a validation to modify the at least one resource record; responsive to the request, generate: a validation string unique to the domain name zone file and the domain name; and at least one instruction for entering the validation string into the at least one resource record in the domain name zone file; transmit the validation string and the at least one instruction to a client computer coupled to the network; query the domain name zone file to determine whether the validation string has been entered into the at least one resource record; and responsive to a determination that the validation string has been entered into the at least one resource record, validate the modification of the at least one resource record.
 2. The system of claim 1, wherein the server computer is operated by a validating entity comprising: a certification authority; a domain name registry; or a domain name registrar.
 3. The system of claim 1, wherein the at least one resource record within the domain name zone file comprises: a TXT DNS record; or a CNAME DNS record.
 4. The system of claim 1, wherein the server computer receives the request via: an email message; or a website.
 5. The system of claim 1, wherein the domain name zone file is a flat text file and is formatted using: space separated values; character separated values; or a markup language.
 6. The system of claim 1, wherein the validation string comprises: an alphanumeric string; or a numeric string.
 7. A system, comprising: at least one processor running on a server computer coupled to a network, the at least one processor executing instructions causing the server computer to: host a domain name zone file for a domain name, the domain name zone file comprising at least one domain name system (DNS) record; receive a transmission encoding a request for a validation to modify the at least one DNS record; responsive to the request, generate: a validation string unique to the domain name zone file and the domain name; and at least one instruction for entering the validation string into the at least one DNS record in the domain name zone file; and transmit the validation string and the at least one instruction to a client computer coupled to the network.
 8. The system of claim 7, wherein the server computer is operated by a validating entity comprising: a certification authority; a domain name registry; or a domain name registrar.
 9. The system of claim 7, wherein the at least one DNS record within the domain name zone file comprises: a TXT DNS record; or a CNAME DNS record.
 10. The system of claim 7, wherein the server computer receives the request via: an email message; or a website.
 11. The system of claim 7, wherein the domain name zone file is a flat text file and is formatted using: space separated values; character separated values; or a markup language.
 12. The system of claim 7, wherein the validation string comprises: an alphanumeric string; or a numeric string.
 13. A method, comprising: hosting, by a server computer coupled to a network, a domain name zone file for a domain name, the domain name zone file comprising at least one domain name system (DNS) record; receiving, by the server computer, a transmission encoding a request for a validation to modify the at least one domain name system (DNS) record; responsive to the request, generating, by the server computer: a validation string unique to a domain name zone file hosted on a server computer coupled to a network; and at least one instruction for entering the validation string into the at least one DNS record in the domain name zone file; and transmitting, by the server computer, the validation string and the at least one instruction to a client computer coupled to the network.
 14. The method of claim 13, wherein the server computer is operated by a validating entity comprising: a certification authority; a domain name registry; or a domain name registrar.
 15. The method of claim 13, wherein the at least one DNS record within the domain name zone file comprises: a TXT DNS record; or a CNAME DNS record.
 16. The method of claim 13, wherein the server computer receives the request via: an email message; or a website.
 17. The method of claim 13, wherein the domain name zone file is a flat text file and is formatted using: space separated values; character separated values; or a markup language.
 18. The method of claim 13, wherein the validation string comprises: an alphanumeric string; or a numeric string.